Facebook passwords stolen by 25 malicious Android apps: What to do
The malevolent apps have been removed from the Play Store
Twenty-five malicious Android apps that were secretly designed to steal Facebook account credentials have been deleted from the Google Play Store.
According to French information-security firm Evina, the apps amassed over 2.34 million downloads before they were removed from the Play Store in early June.
In a blog post, Evina's researchers wrote: “This malware could effectively ruin your online and offline life by making off with the credentials of one of your most valued pieces of digital real estate.”
The apps also bombarded users with ads and opened new web-browser tabs, according to angry user reviews on Google Play that were captured by Evina. It's not clear how many users ended up having their Facebook credentials stolen.
Tricking users
To trick Android users into downloading them, the 25 malicious apps masqueraded as games, flashlights, wallpapers, image and video editing software, QR code scanners, step counters and file managers.
While the apps performed these functions, the researchers said the apps could also “check if the Facebook app is running in foreground”.
If that was the case, the apps would then try to fool users into entering their Facebook credentials into a fake Facebook login page.
“When an application is launched on your phone, the malware queries the application name,” said the Evina blog post. “If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time.”
“The browser is displayed in the foreground which makes you think that the application launched it.”
Playing into hackers' hands
By entering their details into the fake login page, users were effectively sending their Facebook credentials directly to hackers without knowing it.
The researchers explained: “When you enter your credentials into this browser, the malware executes JavaScript to retrieve them. The malware then sends your account information to a server.”
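A defender-side heuristic for the behaviour Evina describes, added here as an example and not taken from Evina or this article: it scans a foreground-event log for apps that take over the screen within a short window of a Facebook app launching. The log format, the sample lines, the 2-second window, the allowlist and the `com.example.*` package names are all assumptions made for illustration.

```python
# Added example. Log format is constructed: "<epoch_ms> FOREGROUND <package>".
FACEBOOK_PACKAGES = {"com.facebook.katana", "com.facebook.lite"}
# Assumed allowlist: packages a user may legitimately switch to right away.
ALLOWLIST = {"com.android.systemui", "com.google.android.apps.nexuslauncher"}
WINDOW_MS = 2000  # assumed threshold for "too fast to be the user"

# Constructed sample data; com.example.* names are hypothetical.
SAMPLE_LOG = """\
1591000000000 FOREGROUND com.google.android.apps.nexuslauncher
1591000005000 FOREGROUND com.facebook.katana
1591000005400 FOREGROUND com.example.flashlight
1591000060000 FOREGROUND com.google.android.apps.nexuslauncher
1591000090000 FOREGROUND com.facebook.katana
1591000150000 FOREGROUND com.example.stepcounter
1591000200000 FOREGROUND com.facebook.lite
1591000200900 FOREGROUND com.example.flashlight
"""

def parse(log):
    """Return (timestamp_ms, package) tuples in time order, skipping bad lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "FOREGROUND" or not parts[0].isdigit():
            continue
        events.append((int(parts[0]), parts[2]))
    return sorted(events)

def suspicious_takeovers(events, window_ms=WINDOW_MS):
    """Map package -> delays (ms) at which it replaced Facebook in the foreground."""
    hits = {}
    for (t_prev, pkg_prev), (t_next, pkg_next) in zip(events, events[1:]):
        if pkg_prev not in FACEBOOK_PACKAGES:
            continue  # only transitions away from a Facebook app matter
        if pkg_next in FACEBOOK_PACKAGES or pkg_next in ALLOWLIST:
            continue
        if t_next - t_prev <= window_ms:
            hits.setdefault(pkg_next, []).append(t_next - t_prev)
    return hits

if __name__ == "__main__":
    for pkg, delays in suspicious_takeovers(parse(SAMPLE_LOG)).items():
        print(f"{pkg}: replaced Facebook in foreground {len(delays)}x, delays(ms)={delays}")
```

A package that repeatedly appears here is a candidate for review or removal; a single hit can be a notification tap, which is why the delays are kept for triage.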
Evina discovered the malicious apps in May and subsequently reported them to Google. After reviewing the findings, Google went on to remove them at the start of June.
“Downloading unknown or low-reviewed apps on the Play Store can be fraught with danger,” Jake Moore, a security specialist at ESET, told Tom’s Guide.
“These apps can cause damage to a device or even steal credentials such as passwords and one-time passwords. I would always suggest users fully research apps before they think of installing them.”
He added: “Malware can lurk around on legitimate app stores but they are easier to distinguish from genuine apps as download numbers will usually be low. My advice would be to stick to well-known apps with good reviews and trusted app stores.
“Furthermore, to protect your social media and other accounts from being hacked, make sure you turn on two-factor authentication in case your details are ever compromised.”
To that, we'd add that one of the best Android antivirus apps will help protect your phone from malicious apps such as these, whether they come from Google Play or "off-road" app markets.
Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!